Thursday Feb 19, 2015

Look, Puppies! And Other Stories from the Utility Industry’s Digital Transformation

The digital revolution is creating abundance in almost every industry—turning spare bedrooms into hotel rooms, low-occupancy commuter vehicles into taxi services, and free time into freelance time. This abundance is delivered on mobile devices. One industry, however, is using mobile apps to help its customers do less.

The utility industry is using smartphones to help its customers conserve energy in their daily lives by tapping into smart meters.

The results can be powerful. Armed with information from smart meters, consumers can reduce their energy bill by 20 percent. Using the dishwasher at 12 a.m., for example, will cost less than running it after dinner when everyone else is doing the same. To provide a wider economic lens, if only 10 percent of American households reduced energy consumption by 26 percent, the excess energy could power 2.8 million homes or reduce energy bills by US$4 billion annually.

In Belgium, smartphones and tablets provided a ubiquitous platform to deploy energy-saving applications. So Electrabel, Belgium’s largest energy company, launched a campaign to provide smart boxes, smart thermostats, and smart plugs that would allow homeowners to view power usage and control appliances from their mobile devices. A great idea! But how to make it all secure?  

Providing digital access to all of the appliances in someone’s home requires rethinking security: Which users in the household would be allowed to control the devices? How can the utility company detect fraud and take corrective action? With all of these devices online, how can the utility company manage access by administrators? How can it enable consumers with simple services like password reset and profile changes? Not surprisingly, 40 percent of the attacks on the energy and utilities sector have come in the form of web application attacks.

To keep its smart meter and mobile services from going to the dogs, Electrabel used Oracle’s security solutions. You can read about Electrabel’s implementation in Oracle Magazine, along with another interesting use case at Vodafone Group.

Electrabel was so confident in its solution that it launched a puppy-heavy national ad campaign to encourage participation. Here are more puppies. Need more? Here.

Stories like Electrabel’s are only the beginning. Cisco estimates that by 2020, there will be 50 billion devices on the planet and, according to the report, 69 percent of the value will be people-centric communication, which makes the Electrabel story that much more important—because the interaction between devices and people will rely on similar security processes.

Some estimates show that the smart home market will double by 2018. Like Electrabel, the industry must do the work to keep criminals from hacking these applications and stealing personal data—or even worse, using these services as an entry point to cause potentially catastrophic failures like the attacks against SCADA systems.

Building security into new services is critical for the utilities industry—just as it will be for every business embarking on a digital transformation.

Wednesday Aug 27, 2014

A Journey from Customization to Standardization - Umer Aziz

It was a cold evening back in fall 2010 when a succinct but impressive cake cutting ceremony was held at Oslo’s massive indoor stadium, Telenor Arena. The ceremony progressed with some speeches and presentations, leading to a delicious cake and refreshments.  The gathering also comprised of brilliant IT Security and Identity & Access Management professionals, who were accompanied by personnel from other IT disciplines. Most of the audience showed great enthusiasm and pitched very interesting questions which were responded with great passion and confidence by those energetic professionals.

It was the launching ceremony of an application that received OracleFusion Middleware Innovation award at Oracle Open World, in the same year. The application was built on the concept of ‘Identity as a service’ for group companies and proved to be a great addition in application portfolio of our Shared Services organization.

Customized GUI over top of Oracle Identity Manager
The application was built as a customized layer upon Oracle Identity Manager 10g and offered user friendly Certification audits and Access Request Management, powered by a multi-tenant architecture. The features were a bit early of their time in IdM world and were key reasons to build customized layer over top of standard solution of Oracle. Though it was not the first time that we built customized application using APIs of standard identity manager, we had already done that in the form of “user creation management GUI” on top of Oracle Identity Manager 9i.

Shortcomings of Customized solution
Though customization results a product according to customer’s desire and fulfills requirements more precisely, but we shall have to believe that technology has somewhat matured recently and companies are offering off-the shelf solutions, better than the traditional tailored products.

Following are the major shortcomings of Customized solution that were faced.

  • A tailored solution is always more expensive than using an off-the shelf product. The logic is simple – customized product are made for a single customer and consequently all development expenses are borne by one entity.
  • Upgrade to newer version is always a big challenge when using a customized solution, but it becomes even bigger when customization is heavily dependent upon the application interfaces (APIs and WebServices). I still remember the mayhem while upgrading from OIM 10g to OIM 11gR1 :)
  • Maintenance and development of a customized solution (application) requires considerable time and resources as compared to the standard solution. A dedicated team of programming geeks is a must, for successfully running a tailored solution. Another relevant challenge is training and coaching of newly hired resources. Every time a new resource is hired to fulfill a vacant position, a hands-on training will be required for him to understand the architecture and approach used for customization.
  • The product support community does not offer any support for a customized product, so if you get a bug or challenge in your customized solution, you will be the only one to resolve that.
  • It is admitted by many of the solution providers, that customization has resulted in slow performance of their application instances. Allowed customization approaches use standard APIs or related interfaces to interact with core application, which have always been considered performance degraders due to the formalities of applications towards external interfaces. This challenge is not only true for Identity Management but similar feedback has been reported by experts of other products i.e. Oracle E-business suite and Oracle SOA suite.


Oracle’s Beta testing program
The Beta Testing Program is a joint venture featuring Oracle and its customers. This initiative provides a structured approach to include users of Oracle applications from selective organizations in the Beta Testing Programs. The overall goal is to allow selected users to perform in depth testing and analysis of Oracle's new products and releases in order to help Oracle deliver better products to market. As a beta testing participant, testers perform in-depth testing of the next generation of Oracle products. This also helps to build personal knowledge base, become an industry recognized technology leader, and help influence Oracle's future product direction.

Our organization, as a Shared Services Solution Provider of Identity and Access Management, was also involved in the beta testing for patch set 2 (PS2) of Identity and Access Management suite 11gR2. The focus area from our side was limited to Identity Governance – more specifically, features of Multi-Tenancy and Access Request Management.

Decommissioning of Tailored layer and rollout of Off-The-Shelf Solution
It's a common misunderstanding that boundaries limit creativity. It may sounds unreasonable, but boundaries can actually boost creativity. Instead, we need to impose boundaries by tightening our processes and one way to achieve this effectively is with Off-The-Shelf solutions.

As involvement in beta testing program resulted in the confidence on much awaited functionalities, last week we have decided to decommission the customized layer by moving functionalities in OIM 11gR2 PS2. The work has actually been started and intention is to complete before summer vocation of 2014. We're crossing our fingers and hoping that the rollout of Off-The-Shelf solution stays fine.

Umer Aziz is an ITIL Specialist Change Manager with Telenor Global Shared Services and has an extensive consulting background in Identity and Access Management in real world deployments. 

Tuesday Jun 10, 2014

Nominations now open for the Oracle FMW Excellence Awards 2014

2014 Oracle Excellence Award Nominations
Who Is the Innovative Leader for Identity Management?



•    Is your organization leveraging one of Oracle’s Identity and Access Management solutions in your production environment?
•    Are you a leading edge organization that has adopted a forward thinking approach to Identity and Access Management processes across the organization?
•    Are you ready to promote and highlight the success of your deployment to your peers?
•    Would you a chance to win FREE registration to Oracle OpenWorld 2014?


Oracle is pleased to announce the call for nominations for the 2014 Oracle Excellence Awards: Oracle Fusion Middleware Innovation.  The Oracle Excellence Awards for Oracle Fusion Middleware Innovation honor organizations using Oracle Fusion Middleware to deliver unique business value.  This year, the awards will recognize customers across nine distinct categories, including Identity and Access Management

Oracle customers, who feel they are pioneers in their implementation of at least one of the Oracle Identity and Access Management offerings in a production environment or active deployment, should submit a nomination.  If submitted by June 20th, 2014, you will have a chance to win a FREE registration to Oracle OpenWorld 2014 (September 28 - October 2) in San Francisco, CA.  Top customers will be showcased at Oracle OpenWorld and featured in Oracle publications.  

The  Identity and Access Management Nomination Form

Additional benefits to nominees
Nominating your organization opens additional opportunities to partner with Oracle such as:
•    Promotion of your Customer Success Stories
Provides a platform for you to share the success of your initiatives and programs to peer groups raising the overall visibility of your team and your organization as a leader in security

•    Social Media promotion (Video, Blog & Podcast)
Reach the masses of Oracle’s customers through sharing of success stories, or customer created blog content that highlights the advanced thought leadership role in security with co-authored articles on Oracle Blog page that reaches close to 100,000 subscribers. There are numerous options to promote activities on Facebook, Twitter and co-branded activities using Video and Audio.

•    Live speaking opportunities to your peers
As a technology leader within your organization, you can represent your organization at Oracle sponsored events (online, in person or webcasts) to help share the success of your organizations efforts building out your team/organization brand and success.

•    Invitation to the IDM Architect Forum
Oracle is able to invite the right customers into the IDM Architect Forum which is an invite only group of customers that meet monthly to hear technology driven presentations from their own peers (not from Oracle) on today’s trends.  If you want to hear privately what some of the most successful companies in every industry are doing about security, this is the forum to be in. All presentations are private and remain within the forum, and only members can see take advantage of the lessons gained from these meetings.  To date, there are 125 members.

There are many more advantages to partnering with Oracle, however, it can start with the simple nomination form for Identity and Access Management category of the 2014 Oracle Excellence Award

Monday May 05, 2014

Is Mobility Creating New Identity and Access Challenges? - by Marcel Rizcallah

Are mobile, social, big data and cloud services generating new Identity and Access Management challenges? Guest blogger Marcel Rizcallah is the EMEA Domain Leader for Security at Oracle Consulting and today will highlight some of the new IAM challenges faced by customers with Cloud services and Mobile applications.

Sales force users ask more often for iPad or mobile devices to access Cloud services, such as CRM applications. A typical requirement is to use an AD or corporate directory account to login seamlessly into the Cloud service, either with a web browser or a downloaded application on a device. The benefits, compared to a different login/password provided by the Cloud provider, is more security and better identity governance for their organization; password policy is enforced, CRM services are granted to sales people only and Cloud accounts are de-provisioned immediately when people leave.

Integrating a mobile device browser with the intranet is easily addressed with federation solutions using the SAML standard. The user provides his login and password only once and tools such as Oracle Mobile Security Suite and Oracle Access Manager provide the end-to-end integration with the corporate directory.

Authenticating through a downloaded application provided by the Cloud service may be more complex; the user authenticates locally and the device application checks first the credentials in the cloud environment. The credentials are relayed to the organization’s intranet using REST services or standards such as SAML to validate the credentials.

Integrating IAM services between SaaS applications in the Cloud and the corporate intranet may lead to a weird situation. Let’s look at this example: one of my customers discovered that their CRM SaaS application, provided by a public Cloud environment, was supposed to be SAML compliant, yet did not correctly generate one of the SAML messages when authenticating through a downloaded application on the device. Despite all parties agreeing that this is a bug, fixing the Cloud application was not an option because of the possible impact on millions of Cloud customers. On the other hand, changing the Oracle Access Manager product, fully compliant to SAML 2.0, was not an option either. The short term solution would be to build a custom credential validation plug-in in Oracle Access Manager or an integration tool, such as Oracle API Gateway to transform the wrong message on the fly! Of course this should not stay a long term solution!

When we ask customers which SSO or Identity Governance services are the priority for integrating Cloud SaaS applications with their intranet, most of them says it’s SSO. Actually SSO is more urgent because users want to access Cloud services seamlessly from the intranet. But that’s the visible part of the iceberg; if Cloud accounts are not aligned to employees referential or sales force users, customers will end up paying more license fees to the Cloud provider than needed. SSO with Oracle Access Manager will improve customer experience, but cloud provisioning / de-provisioning with Oracle Identity Governance will optimize Cloud costs.

Use the following links to learn more about Oracle IDM products and Oracle Consulting Services for IDM.

Tuesday Sep 17, 2013

OOW 2013 Content: Securely Enabling Mobile Access for Business Transformation

Online communication has been transformed by the advent of effective mobile computing, and more organizations are providing employee and customer access to services via mobile devices.

Securely Enabling Mobile Access for Business Transformation [CON8896] will review the security and usability concerns that are further compounded by bring your own device (BYOD) policies. In addition to speakers from Oracle, this session will also include presenters Arup Thomas (Verizon Wireless) and Abdullah Togay (Ministry of National Education).

Plan on attending this session on:

Tuesday, Sep 24, 12:00 PM - 1:00 PM - @ Moscone West - 2018

Wednesday Jun 12, 2013

Abandoning our "Last Century" IAM Models by Paul Dhanjal (Simeio Solutions)

In our previous blog, we looked at the business drivers behind the growth of cloud-based Identity and Access Management (IAM). These drivers, combined with cultural and technology trends, have made cloud-based IAM more attractive – and, frankly, more necessary – than ever.

Now that business has evolved to offer more and more interconnected and interdependent services to a wider range of users, the old models we had relied on to manage identities no longer apply. Our old identity management and security models designed for internal users simply can’t keep up with the rapidly evolving landscape. The forces that are shaping this new reality are so powerful, their momentum so great, that they now dictate the terms of how identity must be managed within an organization. The balance of power has shifted away from the IT organization and into the hands of end-users. If you are to meet their expectations, if you hope to compete and remain relevant, you must make the transition from build-your-own IAM to out-of-the-box IAM, from customization to configuration.

While there may be a big stick pushing us to make this transition, the carrots are equally compelling: lower costs, faster time to market, enhanced security, greater flexibility and, perhaps most important, the freedom to focus on the value and quality of the services you provide instead of how they’re provided.

There may be no better example of this than bring-your-own-device (BYOD). For years, IT laid down the law to prevent it. Now, fueled by the consumerization of mobile devices and tablets, BYOD has become the rule rather than the exception. It was inevitable. BYOD not only reduces strain on the organization to purchase and support such devices, it also increases employee satisfaction and productivity.

But, of course, the concerns behind the original reticence to allow BYOD remain. In fact, those concerns are magnified now that we’ve moved from uniform desktops tethered to the office to diverse mobile devices that can literally be taken – and lost  – anywhere in the world.

Here’s where out-of-the-box solutions such as Oracle Access Management Suite come to the rescue. They’re designed to enable centralized policy management for securing access to services via mobile applications, going beyond web single sign-on, authentication and authorization. Such solutions are designed from the ground up to handle the added complexity of password management and security in a mobile world, including strong authentication, real-time behavioral profiling, and device fingerprinting. Adaptive products such as those from Oracle provide a multi-faceted approach to mitigate breaches into mobile and Web Applications, all while tying into a closed loop audit process with powerful reporting and notification engines.

Another example is the growing need to manage external identities – those of partners or customers. It may be tempting to use existing capabilities designed for internal identities for this. After all, the same basic services are involved, including handling access requests, granting access, and password management. But the differences are simply too great. There are different business needs, different security concerns, different compliance requirements, even different licensing issues.

Here, too, the new cloud-based IAM models offer us a solution. Their multi-tenancy capabilities mean a single instance of software can serve multiple constituencies discretely by virtually partitioning the management of identities based on any criteria or business need.

As they say on those late night infomercials, that’s not all. The cloud model and its converging standards open the door to entirely new ways of dealing with external identities. For example, products such as Oracle Access Manager allow users to register for a site's services using their social login IDs as an authentication mechanism (using OAuth and OpenID standards). This gets the organization out of the business of managing these external identities altogether, delegating password management, user profile, account settings, etc. to a third party – Google or Facebook, for example. 

If you’re not willing to delegate these tasks, you can still leverage external identities during registration by pulling the user’s basic identity information from a trusted third-party identity provider (IDP). This approach marries the old with the new, maintaining a security perimeter for user access by ensuring audit and closed-loop certification processes are still in place, while reducing the burden on the user who no longer has to provide basic information in order to register.

Delegation is a recurring theme in new IAM models. Cloud-based IAM, for example, makes it easy to push out user administration, certification and operational request management to individual lines of business. This in turn enables you to downsize centralized call support by using delegated authorities within those business units – managers who are closer (both conceptually and physically) to the users who require access. This is done via strong workflow management, which ties into a well-governed and managed role service as well as enterprise roles and processes for mover/joiner/leaver scenarios.

Case in point: the HR systems the US government uses to provision all roles (for resources and entitlements). Users request access directly from their managers. End-dates are used to enforce de-provisioning of all granted access, even during termination. The result is end-to-end lifecycle management with delegated administration, while ensuring compliance with a centralized audit process.

In our next post, we’ll explore what identity looks like in a secure, connected world and what that means for your business.

Thursday May 16, 2013

Congrats to Virgin Media: Best IAM Project Award

We extend our congratulations to the team at Virgin Media for winning the award for best Identity and Access Management project at the European Identity Conference in Munich this week. Excerpt below from the European Identity Conference.

In the category “Best Identity and Access Management Project”, the award goes to Virgin Media for the implementation of highly polished access control mechanisms with IAM technologies for the WiFi network of the London Underground metro system. This project went live for the 2012 Summer Olympics and had to meet very demanding requirements for high performance user authentication.

You can learn more about the Virgin Media story by viewing this on demand webcast here.

Thursday May 02, 2013

European Identity Conference

This year's European Identity Conference is devoted to cloud, mobile and social. This promises to be an exciting event this year. Here is a link to the conference.  You will not want to miss Peter Boyle and Mike Neuenschwander. Peter's keynote is on Thursday May 16th. Peter Boyle is Head of Identity Services for BT. Below is an abstract for his talk.

If Your Customers Don't Feel Safe, They Will Leave You

More than 559 million adults have been victims of cyber-crime - that´s more than the population of the European Union. More businesses are trying to connect with customers on social and mobile but, 15% of social networking users have had accounts infiltrated and 21% have fallen prey to mobile or social attacks. Only one incident can cause a customer to shift brands. If you are trying to find new paths to market online, don´t miss this session. Securing the customer experience should be the top priority for any business initiative involving cloud, mobile and social. Faced with the need to secure a growing hosting business with more than 10,000 customers accessing services on-line, British Telecom Identity enabled their applications to secure their customer data and transactions. In this session, Peter Boyle Head of Identity Services for BT will discuss how to keep your customer safe, loyal to your brand and keep them coming back for more.

See Mike Neuenschwander will speak in the following sessions:

  • May 14th 2:00 pm :The Future of IAM
  • May 15th 10:30 am: Next Generation Cloud and Mobile Identity Management 
  • May 15th 2:00 pm: The Future of IAM: "Do not kill IAM, improve and extend it"
  • May 16th 2pm: Life Management Platforms, Personal Data, Private Cloud 

Tuesday Mar 19, 2013

Identity Management Down Under at Victoria University

Educational institutions have a dynamic ecosystem with students, teachers and operational administration requiring significant IT and helpdesk resource investment. Victoria University in Melbourne, Australia embarked on an identity management project to automate and streamline access and authorization to the University’s systems for over 55,000 students and 3000 staff.

Check out the following video to see how the University simplified sign-on process for the students, empowered them with self service and, in the process, eliminated helpdesk overhead.

Monday Feb 25, 2013

You Are Invited: Trizetto Discusses HIPAA This Thursday

Oracle Corporation
Webcast Trizetto Achieves HIPAA Compliance with Identity Management. Oracle Identity Management.

Learn How Oracle Identity Management Can Lower Compliance Costs and Reduce Audit Exposure

Securing patient information means controlling user access to data and applications. Unfortunately, without automation access controls can quickly erode. And the cost of maintaining user access can be expensive—in some organizations, compliance costs are consuming up to 40% of their IT budget.

As Trizetto embarked on a project to streamline HIPAA compliance, Oracle Identity Management provided a foundation for streamlining the audit process and reducing the cost of manual controls.

Join This Important Security Webcast

You’ll hear Darrel Carson, Trizetto Program Manager for Identity and Access, discuss how Trizetto took a platform approach to identity management as part of a long-term plan to streamline HIPAA compliance and secure user access.

You’ll learn how to:

  • Automate rigorous and intrusive government controls
  • Provide faster results with automated remediation
  • Streamline access management through service desks
  • Create a foundation for scale using a platform approach to identity management

Oracle Identity Management helped Trizetto reduce the password footprint and service desk costs while improving the end user experience. Join us and find out how.

Register now for this Webcast, “Trizetto Achieves HIPAA Compliance with Identity Management.”

Join us for this Webcast, Trizetto Achieves HIPAA Compliance with Identity Management.
Thurs., February 28, 2013
10 a.m. PT / 1 p.m. ET
Presented by:
Darrel Carson
Darrel Carson
Program Manager for Identity and Access, Trizetto
Naresh Persaud
Naresh Persaud
Director Product Marketing, Oracle
Hardware and Software, Engineered to Work Together
Copyright © 2013, Oracle and/or its affiliates.
All rights reserved.
Contact Us | Legal Notices and Terms of Use | Privacy Statement



Thursday Jan 10, 2013

Partner Blog Series: Deloitte Talks Part 2: BYOD - An Emerging technology Concept

There’s an accelerating trend in the workplace raising new challenges for today’s CIO: the bring your own device (BYOD) revolution. The use and acceptance of mobile devices in the workplace is a critical issue that many chief executives are considering for their corporate environment. A BYOD strategy enables an employee to use a single device with the flexibility and usability they prefer, while providing access to both their personal and business applications and data. There are also potential cost savings for the enterprise as the employee may bear the cost of the device and the ongoing mobile access plan. An enterprise should consider the extent to which BYOD will be embraced, and the challenges BYOD presents as a part of an enterprise’s overall mobile security management strategy.

Before embarking on this journey, an organization should first decide – why BYOD? Does the increased user productivity and availability of data outweigh the risk and the associated mitigation expense? There are risks introduced at the device, application and infrastructure levels that present new challenges. These challenges may vary from compliance issues, to data leaks, to malware and challenges will likely only intensify as the number of mobile devices and operating systems proliferate. Another option is that the employer can provide employees with a mobile device hoping to enhance their productivity and ability to support the organization remotely. The illustrative chart below depicts some of the Pros and Cons of an employer providing corporate mobile devices versus letting employees use their own mobile phones and tablets.

Benefits/Obstacles

Bring Your Own

Corporate Provided

Pros

  • Device and connectivity costs incurred by employee
  • Addresses increased demand of employees to connect personal devices to corporate networks

  • Tighter device oversight and control
  • Streamlining devices, platforms and OSes simplifies IT support
  • Service fees negotiated with service providers; increased purchasing power

Cons

  • Limited device oversight and control
  • Increased challenges with enforcing legal and regulatory requirements
  • Device and data ownership questions

  • Cost of providing devices
  • High employee demand for broader diversity in devices can lead to lower satisfaction and adoption
  • May require potential increase in IT support staffing and skill set requirements
  • Privacy considerations with monitoring of employee usage and activity, etc.

As an organization gains an understanding of the key risks that may affect the business, the next step is determining and defining the approach to a secure BYOD solution deployment. One of the primary risks of mobile devices to the enterprise is the security of data that is stored on the devices. Corporate email, financial and marketing data and any other sensitive data may leak out of the organization if the device is not encrypted and adequately protected.

Another point to consider is how the organization might prevent rogue mobile devices from accessing the network. What will prevent users from bringing in their own unpatched/unapproved devices into the environment? Network Access Control (NAC) solutions may help to solve this issue. These solutions have become a popular way to manage the risk of employee owned devices. NAC allows organizations to control which devices can access each level of the organization’s internal network. For example, NAC can limit how a device can connect to the network, what it can access, prevent downloading and potentially prohibit a device from connecting at all. A “health-check” that inspects for required security configurations and controls can be performed before allowing a device to connect to the network to keep the network safe from viruses and malware that could be on an employee owned mobile device. If a “health-check” is not performed before the device is allowed on the network, the scenario described below could occur:


When determining the desired approach, it is critical for an organization to understand the specific use cases and incorporate key business drivers and objectives. This will allow the enterprise to determine if the primary objectives from a mobile security perspective are device, or data centric or a combination of both for their BYOD program.

Device Centric

Data Centric

Mobile device management (MDM)

Minimal device data footprint

Strict device policy enforcement

Communications encryption

Local data encryption

Virtualization

A device-centric approach focuses on the mobile device and associated security controls. This approach is typically centered on how the devices are managed, how policies are enforced, data encryption on the local device and solutions such as secure containers. Some key considerations supporting this approach include:

  • MDM software secures, monitors, manages and supports corporate-owned and employee-owned mobile devices deployed across an enterprise
  • Policy enforcement supports permissible/non-permissible devices, considers factors such as who can connect to the network (user types, etc.)

A data-centric approach focuses on the data stored or processed by the mobile device and how it is secured and transmitted. This approach considers how the data is managed on the devices, transmission security, virtualization and data integrity. Some key considerations are:

  • Minimizing local data storage on the device reduces the risk associated with device loss or theft
  • Securing the transmission of the data from the mobile device to internal/external servers, applications, or other devices is critical
  • Virtualization is an important technology/solution to consider in a data centric approach: virtual desktops accessible from the mobile device or data stored in virtual/cloud environments are critical elements to evaluate
  • Accessing corporate data from mobile devices introduces the need for data integrity controls

For a solid BYOD approach, not only are well defined policies and standards critical, but the technology that enforces this governance should be in place to help ensure that the standards are adhered to. Many organizations may have well defined and communicated policies, but enforcing these restrictions on their users may be a daunting task without the appropriate technology and security framework. To facilitate this approach, mobile security requirements should be defined. A gap analysis should be conducted comparing current state capabilities to the desired state. Next, an overall mobile security operations framework should be developed and the operational processes to support this framework need to be defined. If the mobile security framework is planned appropriately to support a BYOD program and the risks are mitigated throughout the lifecycle, enterprises may see increased user productivity and satisfaction.

About the Writer:

Tim Sanouvong is a Senior Manager in Deloitte & Touche LLP’s Security & Privacy practice with 13 years of experience in the information security area. He specializes in leading large security projects spanning areas such as security strategy and governance, mobile security, and identity and access management. He has consulted for several clients across diverse industries such as financial services, retail, healthcare, state government, and aerospace and defense.

This document contains general information only and Deloitte is not, by means of this document, rendering accounting, business, financial, investment, legal, tax, or other professional advice or services. This document is not a substitute for such professional advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified professional advisor. Deloitte shall not be responsible for any loss sustained by any person who relies on this document.

About Deloitte
Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee, and its network of member firms, each of which is a legally separate and independent entity. Please see
www.deloitte.com/about for a detailed description of the legal structure of Deloitte Touche Tohmatsu Limited and its member firms. Please see www.deloitte.com/us/about for a detailed description of the legal structure of Deloitte LLP and its subsidiaries. Certain services may not be available to attest clients under the rules and regulations of public accounting.

Copyright © 2013 Deloitte Development LLC. All rights reserved.
Member of Deloitte Touche Tohmatsu Limited

Monday Oct 22, 2012

Free SANS Mobility Policy Survey Webcast - October 23rd @10:00 am PST

Join us for a free webcast tomorrow, October 23 @ 10:00 am PST as SANS presents the findings from their mobility policy survey.

-- Register here for Part 1: https://www.sans.org/webcasts/byod-security-lists-policies-mobility-policy-management-survey-95429

This is a great opportunity to see where companies are with respect to mobile access policies and overall mobile application management.

This first part is entitled: BYOD Wish Lists and Policies.  Part 2 will be run on October 25th and is entitled: BYOD security practices.

-- Register here for Part 2: https://www.sans.org/webcasts/byod-security-practices-2-mobility-policy-management-survey-95434

Tuesday Aug 07, 2012

User Interface Changes in Oracle Identity Manager 11gR2


As part of the Oracle Identity Management 11gR2 launch, we were able to talk to some of the key people on the team that are really driving innovation.  Recently, I was able to catch up with Marc Boroditsky, VP of Product Management, and I asked him about the changes that the product team made to the access request user interfaces in the R2 release.

Our interview was captured as a short podcast.  Click here to listen.

Wednesday Mar 28, 2012

Derek Brink shares "Worst Practices in IT Security"

Derek Brink is Vice President and Research Fellow in IT Security for the Aberdeen Group.  He has established himself as an IT Security Expert having a long and impressive career with companies and organizations ranging from RSA, Sun, HP, the PKI Forum and the Central Intelligence Agency.  So shouldn't he be talking about "Best Practices in IT Security?"

In his latest blog he talks about the thought processes that drive the wrong behavior, and very cleverly shows how that incorrect thinking exposes weaknesses in our IT environments.

Check out his latest blog post titled: "The Screwtape CISO: Memo #1 (silos, stovepipes and point solutions)"

Hear Derek speak live during the Aberdeen event series 

Monday Mar 26, 2012

IOUG Webcast Series on Identity Management

Identity Management for Business Empowerment

Identity Management has gone from the realm of IT tools to being a business solution. Security and Identity Management offer confidence in doing secure and compliant business. But more than that, Identity Management today contributes to business growth with secure social, cloud, mobile and internal & external ecosystem enablement.

Cloud computing has heightened the interest in user access security, mobile computing brings access to information beyond the enterprise and a bring your own device culture in-house, social media has added a new dimension to user identity and increasing security compliance pressure has made organizations rethink their roles and entitlements strategy.

To discuss the industry trends, maturity and framework for security, compliance and business empowerment with identity management, Oracle is proud to collaborate with IOUG to launch a series of live webcasts. Covering a span of topics from identity platform to entitlements managements, privilege access management and cloud, mobile and social security, these webcasts will provide direct access to subject matter experts and technology specialists. Hear first-hand about best practices, a pragmatic approach to security implementation, customer success stories and more.

Register today for the individual webcasts or the series.

And just a reminder that the conversation starts at COLLABORATE 12 in Las Vegas from April 22nd – 26th. In addition to our conference sessions, as an added value this year, we are offering a half-day deep dive session on Oracle Identity Management: Building a Security and Compliance Framework for Oracle Systems. The session is scheduled for Sunday, April 22nd from 9 am to 3 pm and will cover relevant topics such as:

• A Primer on Identity Management
• Security and Compliance with Oracle Identity Management
• Security for Oracle Applications, Fusion Applications
• Managing Identities in The Cloud and Mobile World
• Best Practices: Building an Identity Roadmap and Getting Started

To get a head start on your compliance and security program, pre-register for this session today.

Wednesday Mar 07, 2012

Identity and Access Partner Interview


[Read More]

Tuesday Feb 07, 2012

Oracle Named a Leader in both User Provisioning and Identity and Access Governance

Oracle Identity Management solutions were positioned in the Leaders quadrants, in the two recently published Gartner Magic Quadrant reports. This post is the first in a series of multi-part blog discussion, and over the course of next few weeks, we’d be covering details on what we believe make Oracle’s User Provisioning (Identity Administration) solution, Oracle Identity Manager and our Identity and Access Governance solution, Oracle Identity Analytics truly unique and industry leading.

Gartner published their first-ever Magic Quadrant for Identity and Access Governance and Oracle is a leader.

Source: Gartner Magic Quadrant for Identity and Access Management, Dec. 15, 2011. Doc ID#223606. Authors: Earl Perkins and Perry Carpenter. Page 3

This graphic was published by Gartner, Inc. as part of a larger research document and should be evaluated in the context of the entire document. The Gartner document is available by clicking on the note title. Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings. Gartner research publications consist of the opinions of Gartner's research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any of warranties of merchantability or fitness for a particular purpose.

Identity and Access Governance solutions offer business users identity analytics and reports to address governance, audit and compliance challenges. According to Gartner, leaders in Identity and Access Governance (IAG) are “composed of vendors that provide products with a good functional match to client requirements for establishing a governance system for access. These vendors have been successful in building an installed base and revenue stream within the IAG market, and have a relatively high viability rating (because of IAG revenue). Leaders also show evidence of superior vision and execution for anticipated requirements, as they relate to technology, methodology or means of delivery. Leaders typically have significant market share, strong revenue growth, and demonstrated early customer satisfaction with IAG capabilities and/or related service and support.”

Oracle Identity Analytics is an advanced Identity and Access Governance solution from Oracle offering rich analytics, prioritized risk scoring, business-friendly dashboards, and advanced compliance features that monitor, analyze, review, and govern user access to mitigate risk, build transparency and satisfy compliance mandates.

The key challenge we often hear organizations talk about is scaling the compliance processes. Performing access certifications across not a handful but 100s of applications requires not just an automated solution but a powerful (but business friendly) process engine solution powered by analytics to make sense of all the data. To make it a real world discussion rather than a theoretical one, join ING and Oracle on a live webcast:  Scaling Role Management and Access Certification to Thousands of Applications on Wednesday, April 11, 2012 10:00 AM PDT where ING discusses how they successfully tackled the scale challenge.

Close on its heels, Gartner also published its 2011 Magic Quadrant for User Provisioning and Oracle is a Leader.

Source: Gartner Magic Quadrant for User Administration/Provisioning, Dec. 22, 2011. ID# G00219354. Authors: Perry Carpenter and Earl Perkins. Page 4

This graphic was published by Gartner, Inc. as part of a larger research document and should be evaluated in the context of the entire document. The Gartner document is available by clicking on the note title. Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings. Gartner research publications consist of the opinions of Gartner's research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any of warranties of merchantability or fitness for a particular purpose.

Two things are clear with these reports. Organizations are looking at integrated, platform solutions to meet their audit and compliance needs. Platform approach is the only viable approach to close security and audit gaps, reduce TCO and derive the complete picture. And we believe with Oracle’s positioning in the leaders quadrant for both User Provisioning and Identity and Access Governance, organizations are assured that they are not only getting the complete solution but also best-in-class, backed by a strategic vision and strong executive commitment. Seamless integration with Oracle Identity Manager 11g makes Oracle Identity Analytics 11g industry's only access governance solution to offer an accurate closed-loop remediation solution with risk feedback calculated over a user’s lifecycle as actionable insight for certification reviews. To get customers’ perspectives on the implementation and results from the platform approach, we recommend you look at our monthly webcast series on the subject:

Customers Talk: Identity as a Platform.

If you are looking at user provisioning and/or compliance solutions, we suggest you start by downloading these analyst reports and our recently issued press release on the subject. For more information on Oracle’s platform approach to Identity Management and to learn more about our best-in-class Identity Management solutions, visit us at www.oracle.com/identity or contact us via our online communities: Facebook, Blog and Twitter.

You may also find the following resources helpful:

Ongoing Webcast Series: Customers Talks: Oracle Identity Management as a Platform

ISACA Webcast: Limiting Audit Exposure and Managing Risk with Metrics-Driven Identity Analytics

Customer stories: Tackling Compliance Challenges with Oracle Identity Analytics

What’s New in Oracle Identity Manager 11g

Wednesday Jan 18, 2012

XACML Standards Showcase at RSA Conference 2012

External Authorization does for authorization what Single Sign-On solutions did for authentication many years ago. Externalizing authorization policies from applications not only centralizes authorization policy enforcement but also standardizes how authorization policies are written and enforced by applications. Just like SQL standardized the query language for databases, XACML or eXtensible Access Control Markup Language standardizes attribute based access control policies for applications. XACML 3 is the latest revision of this standard that facilitates extremely flexible expressions for access control. 

Oracle Entitlements Server is our external authorization solution that supports a broad range of authorization standards giving our customers plenty of choices and flexibility for deployment.  Kuppinger Cole recently released a paper describing how organizations can "future proof" their enterprise security by deploying Oracle Entitlements Server.  By taking a declarative security approach, security policy can be flexible and distributed across multiple applications consistently. You can get a copy of the report here.

At this year's RSA Conference, the OASIS group will be organizing an interop showcase for XACML 3. Members of OASIS including Oracle will be onhand to showcase the features of the XACML Intellectual Property Control Profile. Stop by Booth #129 at RSA to learn all about the latest in XACML. 

Thursday Jan 12, 2012

Security Newsletter January Edition is Out Now

Security Inside Out Newsletter

The January edition of the very popular Security Inside Out Newsletter is now out. This edition puts the spotlight on Security in Healthcare. Whether it is patient privacy or complying with federal and industry regulations like HIPAA, Sarbanes Oxley (SOX), HITECH and more, security issues are top of mind for most healthcare organizations. Oracle's Security Inside Out approach offers comprehensive protection for your data, identity and applications. Check out the top feature in the newsletter to hear how some of your peer organizations are meeting their security, compliance and patient care goals with Oracle Security and Identity Management solutions.

If you attended our recent Enterprise Single Sign-On (ESSO) webcast, you already know that companies on average realize over 140% in return-on-investment (ROI) with the ESSO implementation. Organizations have been able to slash over 80% of password related calls to their helpdesk saving a tremendous amount in helpdesk overhead and improving user productivity. Get your hands on the ESSO Buyers Guide and don't miss this feature article in the newsletter that discusses recent customer success stories.

This edition is also your one-stop shop for getting your hands on the latest materials including a recently issued IDC Report on Data Security, Oracle whitepaper comparing Oracle and Novell Identity Management solutions, SANS product review report on Oracle Database Vault and more. Keep up to date on the latest Oracle Security news, upcoming events, webcasts and more by subscribing to the newsletter now.

Happy reading!

Tuesday Jan 10, 2012

Customers Talk: 5 Identity Platform Webcasts You Can’t Miss


2011 saw talk of Identity Management emerging from under the shadows of IT to serve the needs of the business. We predict 2012 will see a lot of attention paid to how Identity Management is enabling the business, transforming the way IT is leveraged to meet business objectives.

A common theme among their stories is that Identity Management is not a point solution. Identity Management is a platform of complimentary solutions with a rationalized architecture that can be adopted separately but provide strong interoperability to reduce total cost of ownership. A recent study by Abderdeen noted that organizations who have taken a platform approach can save up to 48%.

Oracle is proud to launch a series of webcasts where we’ll explore the diverse challenges that organizations are facing, and you can hear real customers speak to their specific business objectives and how they leveraged the Identity as a Platform approach to tackle those. In this 5-webcast series, you will hear first-hand from your peers at SaskTel, Agilent, Cisco, ING and Toyota, and learn how leading organizations are rethinking Identity Management as a business versus an IT initiative. You will find that the challenge each of these customers was looking to solve was quite different from each other, yet there is a commonality in their approach to the solution.

To register for one or more of these webcasts and to know more, click here.

Build a Secure Cloud with Oracle Identity Management

Wednesday, January 25, 2012 10:00 AM PST

Presenters: Brian Baird, Chief Technology Officer Identity Management Center of Excellence, SaskTel and Marc Chanliau, Director Product Management, Oracle

Best Practices, Getting Started with an Identity Platform

Wednesday, February 15, 2012 10:00 AM PST

Presenters: Balganesh Krishnamurthy, Agilent and Naresh Persaud, Director, Product Marketing, Oracle

Cisco's Platform Approach to Identity Management

Wednesday, March 14, 2012 10:00 AM PDT

Presenters: Ranjan Jain, Domain Architect for Enterprise Identity, Cisco and Michael Neuenschwander, Sr. Director, Product Management, Oracle

Scaling Role Management and Access Certification to Thousands of Applications

Wednesday, April 11, 2012 10:00 AM PDT                                                                           

Presenters: Mark Robison, Enterprise Architect, ING and Neil Gandhi, Principal Product Manager, Oracle

Putting Customers First: Identity Platform as a Business Enabler

Wednesday, May 30, 2012 10:00 AM PDT

Presenters: Mike Colbus, National Technology Delivery Manager, Toyota and Marc Boroditsky, Vice President Product Management, Oracle

Register today and discover how Identity as a Platform can transform the way you do business.

Tuesday Nov 15, 2011

Limiting Audit Exposure and Managing Risk – Q&A and Follow-Up Conversation

Thanks to all who attended the live ISACA webcast on Limiting Audit Exposure and Managing Risk with Metrics-Driven Identity Analytics. We were really fortunate to have Don Sparks from ISACA moderate the webcast featuring Stuart Lincoln, Vice President, IT P&L Client Services, BNP Paribas, North America and Neil Gandhi, Principal Product Manager, Oracle Identity Analytics. Stuart’s insights given the team’s role in providing IT for P&L Client Services and his tremendous experience in identity management and establishing sustainable compliance programs were true value-add at yesterday’s webcast.

And if you are a healthcare organization looking to solve your compliance and security challenges, we recommend you join us for a live webcast on Tuesday, November 29 at 10 am PT. The webcast will feature experts from Kaiser Permanente, PricewaterhouseCoopers and Oracle and the focus of the discussion will be around the compliance challenges a healthcare organization faces and best practices for tackling those. Here are the details:

Healthcare IT News Webcast: Managing Risk and Enforcing Compliance in Healthcare with Identity Analytics

Tuesday, November 29, 2011
10:00 a.m. PT / 1:00 p.m. ET

Register Today

The ISACA webcast replay is now available on-demand and the slides are also available for download. Since we didn’t have time to address all the questions we received during the live Q&A portion of the webcast, we have captured responses to the remaining questions here. Please continue to provide us your feedback and insights from your experience in deploying identity compliance solutions.

Q. Can you please clarify the mechanism utilized to populate the Identity Warehouse from each individual application's access management function / files?

A. Oracle Identity Analytics (OIA) supports direct imports from applications. Data collection is based on Extract, Transform and Load (ETL) that eliminates the need to write connectors to different applications. Oracle Identity Analytics’ import engine supports complex entitlement feeds saved as either text files or XML. The imports can be scheduled on a periodic basis or triggered as needed. If the applications are synchronized with a user provisioning solution like Oracle Identity Manager, Oracle Identity Analytics has a seamless integration to pull in data from Oracle Identity Manager.

Q.  Can you provide a short summary of the new features in your latest release of Oracle Identity Analytics?

A. Oracle recently announced availability of enhanced Oracle Identity Analytics. This release focused on easing the certification process by offering risk analytics driven certification, advanced certification screens, business centric views and significant improvement in performance including 3X faster data imports, 3X faster certification campaign generation and advanced auto-certification features, that  will allow organizations to improve user productivity by up to 80%. Closed-loop risk feedback and IT policy monitoring with Oracle Identity Manager, a leading user provisioning solution, allows for more accurate certification reviews. And, OIA's improved performance enables customers to scale compliance initiatives supporting millions of user entitlements across thousands of applications, whether on premise or in the cloud, without compromising speed or integrity.

Q. Will ISACA grant a CPE credit for attending this ISACA-sponsored webinar today?

A. From ISACA: Hello and thank you for your interest in the 2011 ISACA Webinar Program!  Unfortunately, there are no CPEs offered for this program, archived or live.  We will be looking into the feasibility of offering them in the future. 

Q. Would you be able to use this to help manage licenses for software? That is to say - could it track software that is not used by a user, thus eliminating the software license?

A. OIA’s integration with Oracle Identity Manager, a leading user provisioning solution, allows organizations to detect ghost accounts or unused accounts via account reconciliation. Based on company’s policies, this could trigger an automated workflow for account deletion or asking for further investigation. Closed-loop feedback between the two solutions would then allow visibility into the complete audit trail of when the account was detected, the action taken, by whom, when and the current status.

Q. We have quarterly attestations and .xls mechanisms are not working. Once the identity data is correlated in Identity Analytics, do you then automate access certification?

A. OIA’s identity warehouse analyzes and correlates identity data across various resources that allows OIA to determine a user’s risk profile, who the access review request should go to, along with all the relevant access details of the user. The access certification manager gets notification on what to review, when and the relevant data is presented in a business friendly screen. Based on the result of the access certification process, actions are triggered and results recorded and archived. Access review managers have visual risk indicators that also allow them to prioritize access certification tasks and efforts.

Q. How does Oracle Identity Analytics work with Cloud Security?

A. For enterprises looking to build their own cloud(s), Oracle offers a set of security services that cloud developers can leverage including Oracle Identity Analytics.  For enterprises looking to manage their compliance requirements but without hosting those in-house and instead having a hosting provider offer managed Identity Management services to the organizations, Oracle Identity Analytics can be leveraged much the same way as you’d in an on-premise (within the enterprise) environment. In fact, organizations today are leveraging Oracle Identity Analytics to manage identity compliance in both these ways.

Q. Would you recommend this as a cost effective solution for a smaller organization with @ 2,500 users?

A. The key return-on-investment (ROI) on Oracle Identity Analytics is derived from automating compliance processes thereby eliminating administrative overhead, minimizing errors, maintaining cost- and time-effective sustainable compliance processes and minimizing audit exposures and penalties.  Of course, there are other tangible benefits that are derived from an Oracle Identity Analytics implementation as outlined in the webcast. For a quantitative analysis of your requirements and potential ROI calculation, we recommend you refer to the Forrester Study on Total Economic Impact of Oracle Identity Analytics. For an in-person discussion, please email Richard Caldwell.

Thursday Nov 03, 2011

2011 Innovation Award Winners - Identity Management

The winners of 2011 Innovation Awards were announced last month during Oracle OpenWorld. The Award recognizes customers for achieving significant business value through innovative uses of Oracle Fusion Middleware.  For Identity Management, that meant deriving and proving exceptional business value, delivering architecture innovation, solving unique challenges and driving industry leadership. With over 20 nominations this year, the panelists had a difficult task ahead of them. One thing was certain though, the winners would be great examples of excepetional use of cutting-edge Identity Management solutions.

This year's winners demonstrated new ways of leveraging cloud and social environments to enhance customer interaction and service levels as well as building business intelligence from IT data to empower business and support management decisions. We congratulate the winners of 2011 Innovation Awards for Identity Management:

ING North America Insurance

Looking to streamline the access certification processes for in-time compliance and manage the complexity of user identity administration, ING North America Insurance implemented Oracle Identity Analytics and Oracle Identity Manager. A combination of detailed planning, close collaboration with Oracle and its implementation partner, and the use of advanced industry solutions allowed ING to achieve its compliance and governance goals. In addition, with business friendly reports and actionable insight, ING's implementation empowered business and offered greater transparency. The team was also able to clearly define, measure and present success metrics to the business.

College Board

With over 50 identity stores and multiple point solutions including some custom technologies, the organization found integrating applications and extending the identity management platform to be complex, time-consuming, costly and unscalable. The approach also left security gaps. To tackle these inefficiencies and unnecessary overhead, College Board started with the implementation of Oracle Identity and Access Management Suite Plus. Not only was the organization looking to seamlessly replace the old, non-standard custom system with a centralized, integrated, standards-based platform, College Board was also looking to leverage social media with the enterprise environment. The innovative integration with Oracle Identity Manager and Oracle Identity Federation allows the organization to reach millions of potential users via social media and offer advanced services to the users using federated login. The use of Oracle Access Manager and Oracle Directory Services enable secure authentication services for College Board's users.

TTNET A.S.

A subsidiary of Turk Telecom, TTNET serves over 6.5 million subscribers across Turkey, providing high technology broadband and other value-added services (VAS). TTNET's VAS are different web applications (each with their own authentication server and user repositories) and technologies coming from 10 different partners. Providing a seamless experience to the customer, thus, became a challenge. Lack of a common authentication platform also left security gaps. With the implementation of Oracle Identity and Access Management Suite Plus, TTNET launched its "Tek Sifre" (One Password) project VAS, providing its subscriber base unified single sign-on with secure and standard authentication and user administration in the background. Now, the customers can use secure single sign-on while the company leverages a standards based user access management and identity adminsitration platform for identity management and compliance, SLA reporting.

ManpowerGroup

Here is a great example of cloud-based Identity-as-a-Service implementation. The company wanted to enforce and streamline user access compliance and automate user provisioning but without having the burden to maintain the infrastructure in-house. So, leveraging Oracle Identity Manager and Oracle Identity Analytics technologies via Simeio Solution's DirectAXS offering, the company was able to achieve its compliance, security and user productivity goals. The implementation benefits included streamlined and automated user provisioning, complete with audit trails and efficient access certification with complete view of user privileges and advanced detection and remediation of ghost accounts.

For information on the winners of the Fusion Middleware Awards for 2011, visit:

http://www.oracle.com/us/corporate/awards/index.html

Thursday Oct 27, 2011

Limting Audit Exposure and Managing Risk: A BNP Paribas, North America Success Story

Audits are not something we look forward to typically. Because audits mean we have to prepare for the exercise in addition to doing our daily jobs. Compliance mandates and company policies, however, have made access certification audits a necessary job function. In a large enterprise, that would mean, reviewing access for thousands of users across hundreds of applications in a dynamic environment i.e., where users change jobs, locations, move to and from projects, join or leave the company. The traditional spreadsheet model clearly can't work here. And even if you are somehow able to enforce access policies, how do you prove to your auditors the same? And hence, Audit Eye! If you haven't seen the video, you should check it out now.

 

BNP Paribas, North America took the access certification challenge head-on and triumphed. Are you looking at solving your complex access certification (attestation) challenges? Looking to make the the access certification process simpler, quicker and more reliable? Then, we invite you to come listen to Stuart Lincoln's presentation on a live ISACA webcast on how BNP Paribas, North America implemented well thought-out strategy and solution to make access certification review processes sustainable, convenient and streamlined and audits - a lot less painful. We look forward to a good conversation.

Live ISACA Webcast: Limiting Audit Exposure and Managing Risk with Metrics-Driven Identity Analytics
Thursday, November 10, 2011
9 a.m. PDT / 12 p.m. EDT
Register Here

Wednesday Sep 28, 2011

Mobile Security Tradeoffs: OOW Session

The rapid adoption of mobile computing and migration of fraud attacks to mobile devices is forcing enterprises, banks and e-commerce providers to rely on sophisticated fraud detection capabilities. Recently Gartner put out a research note which estimates that by year end 2013, 12.5% of all ecommerce transactions will be conducted via mobile devices. Gartner also says that “The evolution of fraud detection tools will play a part in turning mobile commerce into location- and context-aware commerce by increasing the confidence of businesses, financial institutions and end users”. In the latest release of Oracle Adaptive Access Manager (OAAM), we added several enhancements which deliver context-aware security for mobile computing which are on par with fraud detection capabilities that exist for traditional computing.

Oracle Adaptive Access Manager offers a layered security model that enhances the security of online transactions, including mobile transactions, with multiple different capabilities:

  • Device Identification & Location Awareness: Oracle Adaptive Access Manager (OAAM) delivers fingerprinting and geo-location for mobile devices to quickly detect and prevent new types of fraud or misuse. So let’s suppose John Doe always logs into his online banking application from his laptop or mobile device located in San Francisco. Now suppose there is a transaction to transfer thousands of dollars from John’s bank account and suppose this transaction is initiated from somewhere outside of North America from a device whose identity doesn’t match John’s PC or his mobile. OAAM flags this as an anomaly and can either block the transaction or challenge the user.
  • Predictive Risk Analytics: OAAM has always delivered sophisticated risk analytics which factor risk to detect if a transaction is anomalous or not. In the latest release, OAAM has added predictive risk analysis to complement its flexible rules engine and pattern based auto-learning capabilities. So organizations can rely on a combination of location, end point identity, historical behavior and context-awareness to guarantee higher identity assurance for access from mobile devices.
  • Answer Logic: This is a fuzzy logic based processing technique applied to challenge question responses and can increase the usability of a challenge answer flow by accepting variations of the valid answer. So if a fat-fingered user types in “Missus Smith” instead of “Misses Smith” as his mother’s maiden name, OAAM can automatically detect that this is a medium risk situation and allow the user to complete his transaction.

Join us on Tuesday Oct 4 at 10:15a in Moscone West 3022 to hear more from Mark Karlstrand, Sr. Manager of Product Management at Oracle, about how Oracle Adaptive Access Manager (OAAM) can help secure mobile transactions. Joshua Walderbach from Principal Financial Group will present a case study of OAAM.

For a complete schedule of Identity Management sessions at OpenWorld, see the Identity Management Focus On. 

Thursday Sep 15, 2011

Security Inside Out Newsletter - September Edition

This month’s edition of the Oracle Security Inside Out newsletter is now available.

In this edition we look at some of the OpenWorld sessions that you just don't want to miss. We also discuss Oracle Unified Directory 11g, and reveal the latest in identity management webcasts, videos, events and more.

If you don’t have a subscription to this bi-monthly security information update, you can sign up here.

For a full listing of all the Identity Management sessions at this year's OpenWorld, check out the FocusOn document.

About

Oracle Identity Management is a complete and integrated next-generation identity management platform that provides breakthrough scalability; enables organizations to achieve rapid compliance with regulatory mandates; secures sensitive applications and data regardless of whether they are hosted on-premise or in a cloud; and reduces operational costs. Oracle Identity Management enables secure user access to resources anytime on any device.

Search

Archives
« April 2015
SunMonTueWedThuFriSat
   
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
  
       
Today